The First Ransomware to Exploit Telegram Cracked and Decryptor Published

Security researcher Nathan Scott has managed to break the encryption scheme used by the Telecrypt ransomware.

The unusual characteristic that made this virus stand out was its server-client communication method. This time the ransomware creators decided to use the Telegram protocol, as opposed to HTTPS or HTTP like the majority of ransomware does nowadays.


Because it depends on Telegram, Telecrypt needs an Internet connection before it can do any harm. It is written in Delphi, and the binary is 3 MB in size. Its behavior starts when the victim launches the binary.

Before Telecrypt can encrypt any data, its operators have to set up a Telegram bot. For every bot, the Telegram API issues a token ID.

Once a victim runs the ransomware binary, Telecrypt’s first move is to ping the API at api.telegram.org/bot/getme using the hard-coded bot token the operators obtained.

After that, Telecrypt uses Telegram’s protocol to post a message to a Telegram channel whose ID is also hard-coded in the virus.
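The two-step beacon described above (a token check against the bot API, then a message posted to a channel) is easy to spot in egress logs once you know the shape of a Bot API URL. The following detection logic is an added example and not part of the article; it runs over a few constructed proxy log lines in a hypothetical space-separated format. The bot-token pattern and the `sendMessage` method name come from the public Telegram Bot API and are assumptions of this example; the article itself names only the getme call.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical proxy log format used for this example (constructed, not a real product's format):
#   <timestamp> <source_ip> <host> <path> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

# Bot API calls have the shape /bot<TOKEN>/<method>. The token pattern (digits, a colon, then a
# run of URL-safe characters) follows the public Bot API token format; it is an assumption of
# this example, not something the article states.
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)")

# getMe validates a token (the first call the article describes); sendMessage is the public
# Bot API method for posting to a chat or channel (assumed here as the "post a message" step).
BEACON_METHODS = {"getme", "sendmessage"}

@dataclass
class ProxyEvent:
    ts: str
    src: str
    host: str
    path: str
    user_agent: str

@dataclass
class Finding:
    ts: str
    src: str
    method: str
    token_prefix: str   # truncated on purpose: the full token is the attacker's bot credential
    reason: str

# Constructed sample log. The token is a placeholder, not a real one.
SAMPLE_LOG = """\
2016-11-23T10:01:02Z 10.0.0.15 api.telegram.org /bot000000000:CONSTRUCTED_SAMPLE_TOKEN_0000000/getMe "Mozilla/4.0 (compatible; Synapse)"
2016-11-23T10:01:03Z 10.0.0.15 api.telegram.org /bot000000000:CONSTRUCTED_SAMPLE_TOKEN_0000000/sendMessage?chat_id=-100111&text=... "Mozilla/4.0 (compatible; Synapse)"
2016-11-23T10:02:10Z 10.0.0.22 web.telegram.org /a/ "Mozilla/5.0 (Windows NT 10.0) Chrome/54.0"
2016-11-23T10:03:00Z 10.0.0.31 example.com /index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/50.0"
"""

def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse one line of the hypothetical format; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, host, path, ua = m.groups()
    return ProxyEvent(ts=ts, src=src, host=host, path=path, user_agent=ua)

def classify(ev: ProxyEvent) -> Optional[Finding]:
    """Flag any Bot API call; note separately the two methods that make up the beacon sequence."""
    if ev.host.lower() != "api.telegram.org":
        return None
    m = BOT_PATH.match(ev.path)
    if not m:
        return None
    method = m.group("method")
    reason = "Telegram Bot API call from an endpoint"
    if method.lower() in BEACON_METHODS:
        reason = f"Telegram bot beacon method {method}"
    return Finding(ts=ev.ts, src=ev.src, method=method,
                   token_prefix=m.group("token")[:6] + "...", reason=reason)

def scan(log_text: str) -> List[Finding]:
    """Run the classifier over every parsable line and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        f = classify(ev)
        if f is not None:
            findings.append(f)
    return findings

def beaconing_hosts(findings: List[Finding]) -> Dict[str, List[str]]:
    """Sources that both validated a token (getMe) and posted a message: the full sequence the article describes."""
    by_src: Dict[str, set] = {}
    for f in findings:
        by_src.setdefault(f.src, set()).add(f.method.lower())
    return {src: sorted(methods) for src, methods in by_src.items()
            if BEACON_METHODS <= methods}

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.src} {f.reason} (token {f.token_prefix})")
    print("hosts showing the full getMe -> sendMessage sequence:", beaconing_hosts(found))
```

Ordinary Telegram desktop or web use goes to other hosts and paths, so matching on the `/bot<token>/` prefix keeps the rule quiet on legitimate traffic; a host that hits getMe and then sendMessage in quick succession, from a process that is not a known bot integration, is worth a closer look.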

[Figure: the Telecrypt ransom note]

All this makes Telecrypt unique, although its risk scope is not big because it targets only a Russian-speaking audience. The ransom note also exists only in a Russian-language variant.


You can find the Telecrypt decryptor here. The download contains two files, with the instructions inside the text file. The decryptor’s user interface is straightforward and self-explanatory, but it is still better to read the instructions beforehand.

[Figure: the Telecrypt decryptor]

The decryptor requires admin rights to run. In Windows 10, for example, you just have to right-click it and select “Run as Administrator.” In some older Windows versions, right-click the file, go to Properties, open the Compatibility tab and tick “Run This Program As An Administrator.”

For the decryptor to work, users need both an encrypted and an unencrypted version of the same file. This requirement is essential for identifying the encryption key.

One can find unencrypted files in an email inbox or sent folder, cloud syncing drives like Dropbox or inside old backups.
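The reason a before/after pair is enough to identify the key is that, for a weak cipher, XORing the two images of one file leaks the keystream that was applied, and a short repeating key then shows up as a period in that keystream. The article does not describe Telecrypt’s actual cipher, so the code below is an added illustration of the known-plaintext principle using repeating-key XOR as a stand-in, not a reconstruction of Telecrypt or of the published decryptor. All keys and file contents are constructed for the example; the "strong" keystream at the end shows the check failing, as it should, when no short period exists.

```python
from itertools import cycle
from typing import Optional

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the stand-in weak cipher used for this illustration (not Telecrypt's)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def derive_keystream(plain: bytes, cipher: bytes) -> bytes:
    """XOR of the before/after images of one file yields the keystream that was applied to it."""
    if len(plain) != len(cipher):
        raise ValueError("the encrypted and unencrypted copies must be the same file (same length)")
    return bytes(p ^ c for p, c in zip(plain, cipher))

def recover_repeating_key(plain: bytes, cipher: bytes, max_key_len: int = 64) -> Optional[bytes]:
    """Return the shortest repeating key consistent with the pair, or None when no short period
    exists, which is what a properly keyed stream cipher (or a file too short to be sure) looks like."""
    ks = derive_keystream(plain, cipher)
    for n in range(1, max_key_len + 1):
        if all(ks[i] == ks[i % n] for i in range(len(ks))):
            # Insist on at least two full periods so a short sample cannot fake a period.
            return ks[:n] if len(ks) >= 2 * n else None
    return None

def decrypt_with_pair(known_plain: bytes, known_cipher: bytes, target_cipher: bytes) -> Optional[bytes]:
    """Identify the key from one known pair, then apply it to another file encrypted the same way."""
    key = recover_repeating_key(known_plain, known_cipher)
    if key is None:
        return None
    return xor_stream(target_cipher, key)

# Constructed sample data: one 16-byte key shared by every file, as a repeating-key cipher would do.
KEY = b"constructed-key!"
PLAIN_A = b"Quarterly report: revenue grew 12% while operating costs were flat. Draft v3."
PLAIN_B = b"Invoice #0042 - constructed sample document from the same victim machine."
CIPHER_A = xor_stream(PLAIN_A, KEY)   # the copy left on disk
CIPHER_B = xor_stream(PLAIN_B, KEY)   # a second file we have no clean copy of

# Constructed non-repeating keystream (period 256, beyond max_key_len) standing in for a proper
# stream cipher: the same known pair no longer reveals a usable key.
STRONG_KS = bytes((73 * i + 11) % 256 for i in range(len(PLAIN_A)))
CIPHER_STRONG = bytes(p ^ k for p, k in zip(PLAIN_A, STRONG_KS))

if __name__ == "__main__":
    print("recovered key:", recover_repeating_key(PLAIN_A, CIPHER_A))
    print("second file :", decrypt_with_pair(PLAIN_A, CIPHER_A, CIPHER_B))
    print("strong cipher:", recover_repeating_key(PLAIN_A, CIPHER_STRONG))
```

This is also why the clean copy must be the very same file, not merely a similar one: any byte where the two copies differ corrupts the derived keystream at that position. A copy from a mailbox, a cloud sync folder or an old backup, as the article suggests, gives exactly that byte-for-byte match.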

Once the decryptor has identified the encryption key, it offers to decrypt either a list of files or the files in a specific folder. You can find the list of all your encrypted files in “%USERPROFILE%/Desktop/База зашифр файлов.txt”.


While individual ransomware-decryption efforts continue, many malware analysts are also joining the NoMoreRansom project, which pools researchers’ work on breaking the encryption of numerous ransomware families.

David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.